CAPTCHA Me if You Can!


“CAPTCHA” ? What’s this? Everybody already used CAPTCHA (or “Completely Automated Turing Test To Tell Computers and Humans Apart“). You know those pictures made of deformed letters that you need to understand and type in a specific field to perform some operations like creating some accounts, authenticating, etc. Almost all well-known service providers or applications use them: Google, Yahoo!, PayPal, phpBB. Their goal is easy: forbid bots (computers) to waste resources.

The problem is that computers can now “read” them… Most of the CAPTCHA have been hacked! (even the Yahoo! one has been hacked). On sites like (free!) , even API are available to automatically decode CAPTCHA! They say that the service is provided to help blind people to access resources protected by CAPTCHA on the Internet but how to prevent misusage of this service?

Google recently introduced audio CAPTCHA. Check this audio example. It is a step further but audio can also be converted to text (speed recognition). The sound can be distorded, background noise can be added but new algorithms will always be found to circumvent the CAPTCHA!

In July 2006 (is this blog so old? ;), I already posted an article about another way to distinguish humans and bots: The goal was to select the three “hot” girls between nine random pictures (the project was called HotCaptcha).

Microsoft announced a new solution, more “ethical”, called the Asirra project. Assira means “Animal Species Image Recognition for Restricting Access“).

The Assira Project

It’s easy: Pictures of animal are displayed and you just have to select all cat pictures!

How much time this method will resist? Nobody knows but for sure it will be broken! And even if not broken, some bad guys use the manual way to bypass CAPTCHA. Instead of letting the computer do the job, real humans do it and… they are paid for this business! All combinations of CAPTCHA are stored in databases and ready to be used!

Finally, why loose time to decode CAPTCHA when simple users make it for you? End of 2007, a new worm was spread accross the Internet: Trojan.Captchar.A

Melissa Strip

It displayed a nice girl and asked you to decode CAPTCHA to strip her. Decoded strings were recorded and sent to a central server. Quick and efficient!

Another solution would be to create CAPTCHA based on high-level questions related to the website or forum content. Why not some tests like this one during the creation of a new account on a forum about mathematics? 😉


One comment

  1. the last idea is nice 🙂 MotoModders, for example, could ask: “What is the opcode sequence to reset the security code on Motorola phones to 313373?” (It’s 47*118*1*0*14*000051000049000051000051000055000051.)
    Or “What’s the IP address of OpenDNS secondary server?” (
    Or “Who gained admin privileges on forum?” (erm…)
    “How to open command prompt in Windows setup?” (Shift+F10)

    OTOH, these questions would be too hard for newcomers… maybe HotCaptcha/Asirra is a better idea. (Vidoop uses something like that instead of passwords.)


    About the last question… it is really possible to start cmd.exe while Windoze ExPee is installing. You can even play Solitaire during the time 🙂 Also a good way to recover lost Administrator passwords. (Hey, not everyone has ntpasswd/dban/Knoppix in a floppy “just in case I forget when is my birthday” or such occassions.)

    hmm, wonder what would my teacher say if I accidentially left a DBAN floppy there? 🙂 Just joking.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.